Editor’s Note: Asad Imam is a graduate student in the United Kingdom studying E-Business and Information Systems. He recently wrote a study about the cloud computing market. Footnotes appear at the end of the study. We have also written a summary of his report, which you can view here.
The extensive use of information and communication technology has transformed manufacturing organizations and economies into information centric and customer focused organiztions. In present times, the information about a product or customer has become as valuable to the company (in some cases even more) as the product or service [Feng Li, 2007]. However gaining information is an evolutionary process which begins with collection and storage of data to analysis and processing which is transformed into knowledge. It is this knowledge that is mission critical for organizations and their success.
It is extremely vital for an organization to ensure that at no point of operation, the data which enables it with this knowledge is compromised. To ensure this the organizations invest a significant volume of their capital to set up an IT infrastructure to Preserve, Process and Protect this most valuable asset to an organization in present paradigm, its data. However for a small and medium sized company it is extremely demanding to implement the fundamentals of this new information based economy as it requires a significant investment upfront.
For such organizations choosing cloud computing is a cost effective alternative but with obvious concerns. The most apparent concern raised is why would a company give access to all of its sensitive data to a third company [Brooks, 2008]. This is expressed by Daniel Flax (CIO, Cowen and Co.) where he states “it’s a scary concept when you just hand all of your important confidential data over to a third party” [Edwards, J. 2009]. Foster (1999) further argues that since in case of cloud computing one company will process and store data on behalf of another hence proper mechanisms must be devised to include concepts of authentication, authorization, assurance, accounting and audit so that data security, integrity and availability is not compromised.
In addition since every activity of cloud computing would be dependent on the Internet; therefore data would be sent and stored just about anywhere (data dispersion). This very fact makes the whole concept vulnerable as the data could end up in storage systems in locations where privacy and data protection laws are not robust [Edwards, 2009]; for a small Internet based company this could be catastrophic. Hence it is critical to examine and create a robust mechanism to ensure data integrity, confidentiality and availability [Brynko, 2008].
The phenomenon of cloud computing is envisaged to repeat the economic viability of the Power Grids which segregated the production, distribution and consumption of electricity as a Utility. The term ‘Utility’ and ‘Grid’ is significant to ‘cloud computing’ because these were the names of its ‘predecessor technologies’. However for cloud computing to attain such an ‘elementary’ position in the computing domain it has to overcome various traditional, legal, financial, technical and security challenges.
Challenges: The Storm in the Cloud
In the following sections attempts will be made to present these ‘challenges’ and the solutions currently employed to address them. This would be used to prepare a ground work to present how this technology has succeeded so far and its prospective future as ‘opportunities’.
The basic challenge for cloud computing is that many organizations are not even aware if such a technology exists. A recent survey in the UK made evident that more than half of UK SME’s were not even aware of cloud technologies [Moorman, 2009].
In addition it was found that for the organizations’ that were aware of the technology, for them ‘control’ was most critical. Traditionally it is considered that it is the organizations sole responsibility to preserve process and protect its data. The idea of data being remotely stored and processed is beyond imagination for many organizations. It is viewed as a compromise in ‘data control’. The concerns of such organizations is that the world of data computing will end up in hands of massive distributed computing companies such as Google, Amazon, IBM etc, and they will have exclusive control of data processing which would enable the manipulation of prices by them.
In a similar argument, Malcolm Carrie  suggests that adoption of cloud computing will directly challenge the core cultural and behavioral nature of an organization’s IT and security department. It is easily understandable that these departments are comfortable with the existing system which allows them to remain in the vicinity of their data centers, giving them a notion of better control and protection.
In other criticisms, the basic concept of cloud computing is challenged. Many organizations do not consider ‘cloud computing’ as a revolutionary technology at all; for them it is similar to travel in a vicious circle. In their opinion the term ‘cloud computing’ is a marketing ‘gimmick’ to create a hype to serve the same purpose served by centralization which was fragmented after the introduction and proliferation of PCs and servers [ Malagrino,D ;Cisco].
Concerns are raised from a different set of critiques as well, the developers. Their perspective is that cloud computing would reduce the number of computer professional and their employment prospects.
However all the above concerns can be counter argued by the harmony Microsoft has achieved through its domination of the operating systems market or Intel’s domination of the processor market and their acceptance in general. It has to be realized that cloud computing will not proliferate overnight. Adoption of cloud computing will remain a gradual process and companies would prefer to continue with current practices and add new dimensions to their existing technical backbones until all robust mechanisms are developed to ensure utmost effectiveness and efficiency.
The concept of the data residing at a remote location over the Internet with a possibility of data centers being located across different nations triggers a set of legal confrontations.
In countries such as the United Kingdom ‘Data Protection Act’ have to be taken into consideration. If a company, being a client to a ‘cloud vendor’, in its attempts for cost cutting, decides to store its customer’s information on remote data centers could end up with a potential breach of the ‘Data Protection Act’.
In addition, Angela Mari  in her article quoted Alex Hamer (partner at RPC) stating that there is a risk for a cloud user if the data about its customers is accidentally lost, damaged or stolen at a remote data storage centre. It could lead to severe claims against it by the customers or vice-versa the company would lose its ability to claim against its customers. As well as, Mr. Hamer suggested that most cloud computing vendors fail to provide a guaranteed level of data security and for the cloud ‘users’ this compromises a basic requirement they are obligated to fulfill under the DPA i.e. failure to ensure an appropriate level of security.
Yet another perspective that has to be taken into consideration that many times there are clouds within the cloud. These sub-clouds are subcontracted by the primary cloud vendor to various providers for various services such as one for storage and another for processing etc. As the user you may never be aware of their geographical location and know whether the data protection privacy laws are being honored in regards to your data, thus leaving a clear opportunity for security breaches. [Sarrel,D M,2009]. Further, one has to consider how the ownership and legal circumstances will changed should one of these subcontracted cloud vendors are acquired by another organization or in worst case by the rival company of the original client.
The legal challenges thus limits a potential cloud users choice of data that it could export to the cloud especially in case of government services who are some of the early adopters of the cloud. This is exemplified through California Public Utility commission (PUC) case in which its CIO Carolyn Lawson states that “Anything that has your name, address, Social Security number or driver’s license, we can’t put that in a cloud for privacy concerns”[Raths,D 2008].
In particular the legal challenges pose a much severe threat to the concept of cloud computing as organizations may not even consider adopting cloud computing let alone set methods to use it effectively. Thus it is extremely necessary that a cloud vendor addresses the key legal issues and provides a complete transparency in its dealings through use of comprehensive Service Level agreements. The methods to address these legal challenges are explained later in the case.
The security of the data is an instantaneous concern raised by the prospective cloud users. This is attributed to the fact that organizations are any which way affected with vulnerabilities within their traditional IT infrastructure itself and putting the data over the cloud multiplies this vulnerability.
- – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - -
- – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - -
In his article ‘Where’s the Security?’ (Matthew, D) has pointed out that security challenges in the cloud exist not only during the data storage stage but throughout the data life cycle. This means that within the cloud a data is vulnerable to threats all along the collection, transmission, processing, storage, report and export stages. Hackers or ‘Data Sleuths’ or ‘Cyber Criminals’ as one may call them have proliferated and they are always looking for opportunities exploit such vulnerabilities. The lack of a robust security mechanism within the cloud provides them ample opportunities.
In yet another perspective, hackers are a much bigger threat in terms of ‘desktop security’ problems. The primary concern is the damage that a hacker can cause by planting a virus, from a normal desktop machine of an office using cloud services which could spread across the cloud and cause data damage of catastrophic magnitude [Waters K, J, 2009].
The concern about security is further amplified by the fact that no cloud vendor in present time provides a guaranteed mechanism to ensure data security. This is further supplemented by Simon Crosby  in his article ‘Thinking about cloud? Then start internally’ where he states that no cloud vendor in present times offers the level of security required to fulfill the regulatory and audit requirements of enterprises. Often the cloud vendors would either avoid the security concerns or would suggest not uploading critical data over the cloud. Thus for potential customers, cloud computing does not help them in reducing much of their cost as they would still be required to store and maintain their critical data.
In addition, often a cloud data of a customer co-exists in a shared environment and the possibility of security loopholes or lack of proper encryption mechanisms presents a different dimension to the security issues within the cloud.
The fundamental dependence of cloud computing on the internet presents a set of technical challenges to the domain. The obvious concern is the worst case scenario where a customer could face ‘Data outage’ due to interruption in internet services. In financial terms, for a cloud consumer this could result in severe losses to the company. This concern is amplified by a report stating an increase from just one case in 2007 to 14 outages in 2008. [Mari A, 2009].
In addition there is a business challenge of ‘vendor lock-in’ that needs consideration as well. In best case scenario if adoption of cloud computing proliferates then cloud consumers would like the freedom to change their respective cloud vendors based on better offers provided by other vendors. The analogy of ‘electricity’, where customers have the freedom to choose a vendor, could be best used to describe this point of view. To implement it every cloud vendor will have to ensure for its consumers a smooth transition from one cloud to another and if it poses hurdles then a ‘potential’ consumer could find this restriction uncomfortable [Lohman T,2009].
Finally, as discussed earlier, it is understood that organizations would not migrate to the cloud instantaneously. They would like to continue using there current IT infrastructure and add cloud services as supplementary services to reduce cost and continue with the process until a complete robust and trustworthy cloud mechanism is developed. Until this is achieved it is imperative to develop techniques to integrate cloud services with current data storage and processing mechanism of an organization. The lack of such mechanisms could amplify clients concerns and prevent it from adopting the cloud.
If cloud computing intends to attain a status in computing domain similar to the ‘utility providers’ in the general world then they have to address the issues mentioned above. The above mentioned issues are not intended to indicate that every aspect of the cloud is ‘dark and stormy’. Through above attempt has been made to identify the key issues and lay a foundation for a prosperous growth of the cloud. Just as the famous English language phrase states ‘every cloud has its silver lining’ the world of cloud computing holds several promises, covered in the following section.
Opportunities: The Silver Line In The Cloud
In present circumstances where organizations are looking for methods to reduce their operation costs, cloud computing provides a cost effective alternative to reduce spending on IT infrastructure.
This advantage is further amplified in case of small and medium sized companies as it provides them a cost effective, dependable, flexible, comprehensive and time efficient alternative to run their business. Cloud computing will not just benefit the existing SME’s but will provide a ‘technological’ impetus and encourage the growth of new SME’s and benefit a nation’s economy as a whole. These SME’s could use cloud computing as part of their exit strategy; if their proposed businesses do not render economic benefits to them in the long run, then they could simply terminate their contracts with their respective cloud vendors and protect themselves from severe liabilities towards their ‘venture’ capitalists. On the contrary, if the businesses for these SME’s prosper then they can add other cloud services to ‘technologically’ complement their growth.
Further, these companies or organizations can run their IT infrastructure on a web service or cloud enabled platform and focus their energies on methods to add value for their customers rather than worry about IT infrastructure. An educational institute or university could be used as an example where the major focus of the organization should be to continuously raise the education standards of their organization rather than worry about the IT infrastructure. The case of Arizona State University (ASU) is an exemplary proof of the benefits of cloud computing to an educational organization. It adopted the Google Apps Education suite through Google’s Web services, to provide e-mail and other applications to its students.
It enabled them to provide their students with storage space of up to 6 GB each. In addition it helped them provide other features such as Google Talk and a calendar. As well as ASU is not required to update softwares, as they are done from Google’s end itself. All of this resulted in a $500,000 per year savings with students receiving high quality IT services [Raths D, 2008].
The proliferation of social networking websites such as Facebook and Twitter are proof of cloud computing’s benifits for Internet companies. Amazon Web Services provides Facebook Developers quick and easy access to AWS infrastructure to create applications.
Apart from the small companies, large technology corporations are creating ripples with their cloud offerings. In his article ‘Big Guns Suggest The Cloud Is Here To Stay’ Geoff Nairn stated that each of the major technology companies are active in the domain of cloud computing.
The involvement of such large technology companies is a testament to the promise that this new technical paradigm provides. However in order to continue with the current success and reach a state of ubiquity the issues pertinent to cloud computing have to be addressed. The following section provides some of the methods that have been employed to address these issues and possible steps that ‘potential’ cloud users can consider to comply with their regulatory and audit requirements.
The first and foremost concern is to address the issue of trust. Steven Caughey of Arjuna Technologies (www.arjuna.com) states that one should not treat trust as a binary object in terms of either a customer trust’s the cloud or it doesn’t. There should be comprehensive level of understanding and choice has to be made about the extent to which a potential cloud customer has to trust its respective vendor. He specifies that comprehensive Service level agreements (SLA) could be used as quintessential tools to clearly define the terms and conditions under an agreement between the cloud vendor and the client and thus reduce the trust deficit as much as possible. He further adds that these agreements should be dynamic and flexible so that it enables the involved entities to address any complex issue which may arise. He states that these documents should serve as Legal contracts or arrangements to build trust officially and supplement there ‘non-contractual’ relationships. Mr. Caughey further elaborates its significance stating that such agreements could help both parties build their own audit trail to cross check the compliance. [Caughey,S 2009].
The issue of trust could be addressed from a different perspective as well. As discussed earlier it is unlikely that organizations would adopt cloud computing as an absolute alternative to their existent IT infrastructure but this can be achieved gradually. Organizations that posses the capabilities could build a cloud of their own and run a selection of cloud services within the organizational premises and test for themselves whether or not severe vulnerabilities exist. Through this they can build their knowledge and faith in this technology and decide upon the possibilities of outsourcing it to a third party cloud vendor altogether [Crosby S, 2009]. One can exemplify this through current use of Citrix servers in offices. Citrix is a quintessential example of ‘Infrastructure as a Service’ where the office end users access their computer work tools by logging into their citrix accounts from their desktop terminals.
While the above measures appropriately address the trust, legal and technical challenges of the cloud, significant developments are being made to address the the security challenges as well. Networking giants Cisco have a significant role to play to address these issues. Cisco has not only started to manufacture special networking devices for cloud computing but is actively involved to address some of cloud computing security concerns. It has introduced ‘Cisco Security Cloud Services’; a SaaS designed to integrate security in the cloud and allows
Cloud services from multiple networks to connect with enterprises internal network security. It has started initiatives such as “Collaborate with Confidence”, under which it is providing cloud security services such as botnet filter and host-based intrusion prevention system (IPS). Cisco is almost synonymous to Network and Network security; their active participation in the domain would significantly reduce the security concerns of the early adopters. Apart from Cisco, IBM has conducted comprehensive research and based on it they are willing to offer security services to cloud based service providers. In addition IBM has introduced a virtual appliance called “the Proventia Virtualized Network Security Platform”, which combines an IPS, Web app protection and network policy enforcement into a single service. [Waters K,John 2009].
The concept of cloud computing could be viewed as a disruptive innovation which challenges the norm and forces organizations to think out of the box. Just as any other disruptive innovation the cloud also provides organizations to identify it as an emerging opportunity, around which they can develop their strategic responses [Li, F 2009].
It is understandable that currently odds are stacked against the cloud. However success of Amazon Web Services and the proliferation of its users is an indication of its constant growth and progress.
Just as every coin has two sides, cloud computing has its promises and challenges. The case study above was an attempt to highlight its promises and challenges. As stated earlier the ultimate goal of cloud vendors whether big or small, is to repeat the success of ‘Power grids’. However in order to attain such an elementary position in the domain of computing world, significant efforts will have to be made to deliver more of the promises and address the threats with conviction. Thus allow this new “torch bearer” of information & communication technology to be looked as an integral part amongst organizations.
Further Reading –
- Angelica Mari, Cloud computing could bring security threats Serious data security implications could result from service outages Available from world wide web: http://www.computing.co.uk/computing/news/2237013/cloud-computing-bring security
- Arnold, S.(2008, November) A risky cloud approach KM World, pp.1, 24. Retrieved November 26, 2008, from Business Source Premier database.
- Brooks, J (2008, October) Concerns over the cloud eWeek Vol. 25 Issue 31, p42-42, 1p. Retrieved November 26, 2008, from Business Source Premier database
- Brynko, B(2008, November) Cloud computing Knowing the ground rules Information Today; Vol. 25 Issue 10, p23-23,1/4p. Retrieved November 26, 2008, from Business Source Premier database.
- Crosby S, Adopting the cloud? Then start internally [Accessed 16th April 2009] Available from world wide web: http://www.ft.com/cms/s/0/1fdb0e2c-08ce-11de-b8b0-0000779fd2ac,dwp_uuid=3bd54f56-21cb-11dd-a50a-000077b07658.html
- Edwards, J.(2009, February 23). Cutting Through the Fog of Cloud Security. Computerworld,43(8), 26-29. Retrieved March 17, 2009, from Business Source Premier database
- Ferguson,(2008, October) The future of cloud computing eWeek,Vol. 25 Issue 30, p17-17, 1p Retrieved November 26, 2008 from Business Source Premier database
- Ganek A, The Cloud: a leap created from combining existing technologies Published: April 30 2009. [Accessed 15th April 2009] Available from world wide web: http://www.ft.com/cms/s/0/9a25295c-1ddb-11de-830b 00144feabdc0,dwp_uuid=3bd54f56-21cb-11dd-a50a- 000077b07658.html
- Geelan, J., 2009. Twenty-One Experts Define Cloud Computing: It is the infrastructural paradigm shift that is sweeping across the Enterprise IT world, but how is it best defined? Cloud Computing, Journal [Online]., Available at: http://cloudcomputing.sys-con.com/node/612375 (SYS-CON Media, Inc)
- [Accessed 17th May 2009].
- Joseph, A., 2009 Winning with the cloud The Financial Times,[Online]., Available at: http://www.ft.com/cms/s/0/3469c4da-1893-11de-bec8-0000779fd2ac.html ( The Financial Times Limited)
- [Accessed May 17th 2009]
- Kevin, H., 2009 What is Cloud Computing?:The cloud is a virtualization of resources that maintains and manages itself, Cloud Computing, Journal [Online]., Available at: http://cloudcomputing.sys-con.com/node/579826 (SYS-CON Media, Inc)
- [Accessed May 17th 2009]. Leach J, The Rise of Service Oriented IT and the Birth of Infrastructure as a Service | CIO – Blogs and Discussion.[accessed 21st April 2009].Available from World Wide Web: http://advice.cio.com/jim_leach/the_rise_of_service_oriented_it_and_the_birth_of_infrastructure_as_a_service.
- Lohman T, New security threats, data integration, affecting cloud adoption Available from world wide web: http://www.cio.com.au/article/296936/new_security_threats_data_integration_affecting_cloud_adoption [Accessed 10th April 2009].
- Li,F (2007) What is e-business?: How the internet transforms organizations Blackwell publications
- Nairn G, Big guns suggest the cloud is here to stay [Accessed 16th April 2009] Available from world wide web: http://www.ft.com/cms/s/0/cc234f72-2e4f-11de-b7d3-00144feabdc0.html
- Raths D, Government Remains Skeptical About Cloud Computing ,Oct 16, 2008.[Accessed 14th April 2009].Available from world wide web: http://www.govtech.com/gt/articles/422107
- Sarrel D M,The Darker Side of Cloud Computing.[Accessed 10th April 2009]Available from world wide web: http://www.pcmag.com/article2/0,2817,2330921,00.asp
- Where the cloud meets the ground (2008, October 25) Economist, Retrieved December 4, 2008, from Business Source Premier database